IMHO, it's bad thinking if one runs a vulnerability scanner and then runs Metasploit, Canvas or even Core on the network and, if you have a clean read, announces the network safe. Sure, it's a great start, and perhaps you can state the network is free from script kiddies' attacks as far as that kind of exploit goes, but there are software exploits that these tools are unaware of. There is a very select and private group out there that has some exploits that they don't share. One hacker I know claimed to be aware of a small group that passed around among themselves almost 10 Windows exploits that Microsoft wasn't aware of, and I believe him because he always seemed credible in my past dealings with him. We all know that poor programming sometimes results in the ability to exploit. Windows XP has about 40 million lines of code, and a common estimate used in the industry is that there are between 5 and 50 bugs per 1,000 lines of code. Sad, but often true due to time pressures placed on programmers, among other reasons. A middle-of-the-road estimate would be that XP has about 1,200,000 bugs! That equals a lot of potential for exploits.

Last edited by Kev on Mon Jul 10, 2006 11:16 pm, edited 1 time in total.

I agree totally, Kev. Never can one guarantee a site secure. I'm poring through books by Skoudis and others in the area of exposing attackers' methods. The problem is that things change so quickly that books are out of date fairly quickly. Still a great education, though.

I guess we will continue to have job security which I can't complain about, but we in security must continually educate ourselves because the terrain is always changing.

Thanks for your comment. Yes, there should be job security in this field. So much so that if I were to counsel any young person as far as a career is concerned, this would be the one. Things will change and hacking will get more difficult, but this will be the new battleground as our lives get even more automated. One other thought. In no way do I want it to appear from my post that I don't recommend tools like Core and Canvas. On the contrary, I find them a great asset. In fact, I have found that certain corporate types really like it if you use commercial-grade pen testing software that's nationally recognized. If you don't use either and you have been having a little problem selling a pen test, try selling the idea that you are using high-level commercial-grade penetration testing software that is licensed to qualified security individuals and has been used on many Fortune 500 companies. I promise you will see that corporate eyebrow rise up a little in interest.

Unfortunately as security professionals, just like law enforcement, we have to be prepared to stop every type of intrusion. That's just the nature of being on the white hat side of the equation. The black hats only need to exploit one vulnerability. The white hats need to plug them all - even when we don't know they exist!

So yes, using automated pen testing tools will never allow you to get the entire picture. Multiple tools will always be the rule of thumb. But the automated tools give you a great foundation from which to start.

As for job security, it is the mind that is valuable not the tool. It is great and essential to be able to use the available tools, but it is far more valuable to have a mind that can think of creative ways to solve difficult problems or extrapolate extra possibilities from data based on experience. An automated tool can't do that. This is true for our field as well as any other.

But keep up the good work, guys, of informing the masses. There are plenty of so-called professionals out there who do a Nessus scan and hand the canned report to the client or boss. Even worse, they post the HTML results on a server that can be googled! Nice work if you can get it, but most of us take more pride in our work, as well as having a genuine interest in helping the client or our own place of business.

Never forget that the problem with vulnerability scanners is that they only check for known vulnerabilities.

If I were truly locking down a network, I would be more worried about whether my apps were vulnerable to 0day attacks or undiscovered weaknesses in the software than whether I passed a Nessus scan.

That being said, I understand MSF, Canvas, and Core Impact to be exploit frameworks rather than vulnerability scanners, which is a big difference. Those tools give someone the ability to write their own checks and exploits versus relying on what's available on the net.

Due to the fact that one never knows what 0day exploit might pop up, I feel the response to having your security breached is just as important, or perhaps even more so. Some admins stick their heads in the sand when it comes to dealing with such things, hoping that they can make their network impenetrable. While that is the ultimate goal, what happens if the unthinkable occurs? You had your system totally patched, an awesome firewall and DMZ in place, etc., but still someone slips in? What are your policies in such an event?

Agreed. There is a great story told by Ed Skoudis in his book Counter Hack about a panic call he receives from an admin he knows. Seems that someone hacked his network and he needed Skoudis's help. Turns out the admin hadn't prepared anything for such an event. Hadn't implemented Tripwire, etc. I love his stories, and I am sure that was a great lesson for that guy!
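As an added illustration of the kind of preparation the admin in that story lacked, here is a minimal Tripwire-style file integrity baseline in Python. This is example code written for this page; it is not from Counter Hack, from Tripwire, or from anyone in the thread. The sample file tree, the "intrusion" it simulates (a trojaned binary, a dropped backdoor, a wiped log) and every path in it are constructed for the demo.

```python
"""Tripwire-style integrity check: record a hash manifest of a tree, then
compare a later snapshot against it and report added/removed/modified files."""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Walk root and record hash, size and permission bits of every regular file.
    Paths are stored relative to root with '/' separators so manifests are portable."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order, handy when diffing saved manifests
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # symlinks and special files are out of scope for this demo
            st = os.lstat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,  # also flags e.g. a setuid bit being added
            }
    return manifest


def save_baseline(manifest, path):
    """Write the manifest as JSON. In real use this copy belongs on read-only or
    off-host storage: a baseline the intruder can rewrite proves nothing."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline, current):
    """Return which relative paths were added, removed or changed since the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, then simulate an intrusion
    (trojaned binary, new backdoor, deleted log) and report what changed."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        def write(rel, data):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        # constructed sample filesystem, not real system files
        write("bin/ls", b"#!/bin/sh\nexec /real/ls \"$@\"\n")
        write("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        write("var/log/auth.log", b"Jul 10 23:16:00 sshd: Accepted password for admin\n")

        manifest_path = os.path.join(store, "baseline.json")  # kept outside the tree
        save_baseline(build_baseline(root), manifest_path)

        # simulated intrusion after the baseline was taken
        write("bin/ls", b"#!/bin/sh\n# trojaned\nexec /real/ls \"$@\"\n")   # modified
        write("usr/sbin/backdoor", b"\x7fELF constructed payload\n")         # added
        os.remove(os.path.join(root, "var", "log", "auth.log"))               # removed

        return compare(load_baseline(manifest_path), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a practitioner would add: the saved manifest (and the checker itself) must live where the intruder cannot rewrite them, ideally read-only media or another host, and a userland hash walk cannot see through a kernel-level rootkit that lies to open() and read(), so the comparison is only trustworthy when run from a clean boot environment.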

I agree with you if your goal is to lock down every attack vector and you have limitless funds and resources. Most companies that I have worked for have had little of both, so you have to balance, I think, the risk/probability with the cost/effort. I would love to do what you suggest to the nth degree.

However, if most companies would at least run auto tools regularly and fix what they find (or knowingly accept the risk in some areas), we'd be better off. I wish more companies would do at least that.

I think if you can at least lock down the basics, you can successfully get the skiddie and others slightly above her to move on to an easier target. Automated tools help you get there, but as you said, they can't do it all.

Let me clarify: I'm speaking in terms of what I feel a security professional's goal is: maximize profits. That of course means you weigh cost/effort against the risk and only put in/recommend the security that is "needed" and cost-beneficial for the company. The problem is in accurately determining (sometimes called guessing) what probability a threat has, and that's different depending on the company and the industry.

It's not an exact science. I have seen simple vulnerabilities go untouched for years. Some things are just not found. They all give me pause, but I can't expect each industry to lock down like it's a financial institution. But at the same time, I can't expect companies to lock down things that won't lead to much of a loss, even if it is exploited; sometimes the cost is just too high and it's cheaper to clean up IF IT HAPPENS.

I know many of you will disagree, but that's what forums are all about: sharing perspectives and being stretched out of your comfort zone--and pondering what others advocate.

Kev, I enjoy your perspective. Keep it up. And congrats on your prize!

Hmm... but many people say that Canvas has a team that just researches 0day vulnerabilities, and they sell them separately to integrate into Canvas. The 0day (private) vulnerabilities include Oracle, Windows, etc. So this really can help, huh?

PS: Has anyone here already seen/used this pack for Canvas? What do you mean?